US-10389524

Introducing middleboxes into secure communications between a client and a server

Published: August 20, 2019
Technical Abstract

A method of communicating over a network between first and second endpoints, one being a client and the other being a server. The method comprises: establishing a first secure transport layer channel between the first and second endpoints; establishing a second secure transport layer channel between the first endpoint and a middlebox to which the first endpoint is to delegate processing of the traffic sent over the first secure transport layer channel; the first endpoint validating the middlebox via the respective second secure transport layer channel, and on condition of said validation sharing the encryption key of the first channel with the middlebox via the second secure transport layer channel; and causing the traffic sent over the first channel to be routed via the middlebox. The method thereby enables the middlebox to process, in the clear, content of the traffic sent over the first channel.
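The two-channel delegation the abstract describes, as an added example in Python that is not the patent's own code: the transport channels are modelled by a constructed HMAC-SHA256 encrypt-then-MAC record layer standing in for TLS, and the attestation fields `operator` and `service` are assumed names for what the middlebox proves to the first endpoint over the second channel. The key of the first channel is released only on successful validation, so a middlebox that fails the check never learns it and cannot read the first channel's records.

```python
import hashlib
import hmac
import os

BLOCK = 32  # HMAC-SHA256 output length; one keystream block per counter value


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a TLS cipher: blocks of HMAC-SHA256(key, nonce || counter)."""
    blocks = (length + BLOCK - 1) // BLOCK
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record under the key that defines a channel."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Reject a forged or wrong-key record before decrypting anything."""
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("record authentication failed")
    return bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct))))


def validate_middlebox(attestation: dict, expected: dict) -> bool:
    """Claims 3-5: the box must be provided by the intended party and offer the
    intended service (field names are hypothetical, not from the patent)."""
    return (attestation.get("operator") == expected["operator"]
            and attestation.get("service") == expected["service"])


def delegate(k1: bytes, k2: bytes, attestation: dict, expected: dict):
    """First endpoint's side: k1 (channel 1) goes out sealed under k2 (channel 2) only if validated."""
    if not validate_middlebox(attestation, expected):
        return None  # no key leaves the endpoint; the box cannot read channel 1
    return seal(k2, k1)


def run_delegation(attestation: dict, expected: dict):
    """Whole exchange with fresh keys; returns what the middlebox reads in the clear, or None."""
    k1, k2 = os.urandom(32), os.urandom(32)
    key_record = delegate(k1, k2, attestation, expected)
    if key_record is None:
        return None
    k1_at_box = unseal(k2, key_record)          # middlebox learns k1 via channel 2
    app_record = seal(k1, b"GET /index.html")    # channel-1 traffic, routed via the box
    return unseal(k1_at_box, app_record)         # processed in the clear (claim 1)
```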

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of communicating over a network between a first endpoint and a second endpoint, the first endpoint being a client device or a server and the second endpoint being the other of the client device and server, the method comprising: establishing a first secure transport layer channel between the first and second endpoints, the first secure transport layer channel being defined by a first cryptographic key required to access content of traffic sent over the first secure transport layer channel; establishing a second secure transport layer channel between the first endpoint and a first middlebox to which the first endpoint is to delegate processing of the traffic sent over the first secure transport layer channel, the second secure transport layer channel being defined by a second cryptographic key required to access content sent over the second secure transport layer channel; the first endpoint validating the first middlebox via the respective second secure transport layer channel, and on condition of said validation, sharing the first cryptographic key with the first middlebox via the second secure transport layer channel; causing the traffic sent over the second secure transport layer channel to be routed via the first middlebox of the first endpoint and a second middlebox associated with the second endpoint; the method thereby enabling the first middlebox to process, in the clear, content of the traffic sent over the first secure transport layer channel using the first cryptographic key.

2. The method of claim 1, wherein each of the first and second transport layer channels is a TLS channel.

3. The method of claim 1, wherein said validation comprises confirming that the first middlebox is provided by an intended party.

4. The method of claim 1, wherein said validation comprises authenticating that the first middlebox is provided by a trusted party.

5. The method of claim 1, wherein said validation comprises confirming that the first middlebox provides an intended service.

6. The method of claim 1, wherein the first middlebox comprises one of: a virus scanner, a child safety filter, an intrusion detector, a compression proxy, an audio or video transcoder, an HTTP proxy, an application-layer load balancer, and/or a cache.

7. The method of claim 1, wherein the traffic is caused to be routed via the first middlebox by supplying the second endpoint with an IP address or domain name of the first middlebox as a contact address of the first endpoint, or by configuring the network to redirect traffic addressed to the first endpoint to the first middlebox.

8. The method of claim 1, comprising said client and at least one further client communicating with the server via said first secure transport layer channel as part of a same multiparty communication session.

9. The method of claim 1, wherein the first middlebox runs within a secure enclave of the network equipment upon which the first middlebox is implemented.

10. The method of claim 1, wherein the first endpoint is the client and the second endpoint is the server.

11. The method of claim 10, wherein the establishment of the first secure transport layer channel comprises the client sending a message to the server via the first middlebox, and wherein the message comprises a TLS Extension configured to cause the first middlebox to begin a handshake with the client to perform said establishing of the second secure transport layer channel.

12. The method of claim 1, wherein the first endpoint is the server and the second endpoint is the client.

13. The method of claim 1, comprising: for each respective one of the first and second endpoints, establishing a different respective second secure transport layer channel between the respective endpoint and a respective middlebox to which the respective endpoint is to delegate processing of the traffic sent over the first secure transport layer channel, each second secure transport layer channel being defined by a different respective second cryptographic key required to access content sent over the respective second secure transport layer channel; and each of the first and second endpoints validating its respective middlebox via the respective second secure transport layer channel, and on condition of said validation sharing the first encryption key with the respective middlebox via the respective second secure transport layer channel; and the method thereby enabling the middleboxes of both endpoints to process content of the traffic sent over the first channel using the first cryptographic key.

14. The method of claim 1, wherein a chain of multiple middleboxes is included in the first secure transport layer channel, each introduced using a different respective second secure transport layer channel according to a respective instance of said method.

15. The method of claim 14, wherein said chain comprises multiple middleboxes of the first endpoint, each introduced using a different respective second secure transport layer channel according to a respective instance of the method of any of claims 1 to 12.

16. The method of claim 14, wherein said chain comprises additional middleboxes of the second endpoint, each introduced using a different respective second secure transport layer channel according to a respective instance of the method of claim 13.

17. The method of claim 14, comprising enforcing an order in which the middleboxes receive the traffic by: sending the traffic using a different respective per-hop encryption key to encrypt the traffic over each hop between endpoint and middlebox and each hop between middleboxes.

18. The method of claim 1, wherein said network comprises the Internet.

19. A computer program product embodied on a computer readable storage device and executable by one or more processors to perform operations comprising: establishing a first secure transport layer channel between the first and second endpoints, the first secure transport layer channel being defined by a first cryptographic key required to access content of traffic sent over the first secure transport layer channel; establishing a second secure transport layer channel between the first endpoint and a first middlebox to which the first endpoint is to delegate processing of the traffic sent over the first secure transport layer channel, the second secure transport layer channel being defined by a second cryptographic key required to access content sent over the second secure transport layer channel; the first endpoint validating the first middlebox via the respective second secure transport layer channel, and on condition of said validation, sharing the first key with the first middlebox via the second secure transport layer channel; and causing the traffic sent over the second secure transport layer channel to be routed via the first middlebox of the first endpoint and a second middlebox associated with the second endpoint; the method thereby enabling the first middlebox to process, in the clear, content of the traffic sent over the first secure transport layer channel using the first cryptographic key.

20. A computer system comprising at least the first endpoint programmed to perform operations comprising: establishing a first secure transport layer channel between the first and second endpoints, the first secure transport layer channel being defined by a first cryptographic key required to access content of traffic sent over the first secure transport layer channel; establishing a second secure transport layer channel between the first endpoint and a first middlebox to which the first endpoint is to delegate processing of the traffic sent over the first secure transport layer channel, the second secure transport layer channel being defined by a second cryptographic key required to access content sent over the second secure transport layer channel; the first endpoint validating the first middlebox via the respective second secure transport layer channel, and on condition of said validation, sharing the first key with the first middlebox via the second secure transport layer channel; and causing the traffic sent over the second secure transport layer channel to be routed via the first middlebox of the first endpoint and a second middlebox associated with the second endpoint; the method thereby enabling the first middlebox to process, in the clear, content of the traffic sent over the first secure transport layer channel using the first cryptographic key.


Patent Metadata

Filing Date: June 30, 2017

Publication Date: August 20, 2019


Citation & reuse

Cite as: Patentable. “Introducing middleboxes into secure communications between a client and a server” (US-10389524). https://patentable.app/patents/US-10389524
